Budget is Biggest Barrier to Cybersecurity, Local Government CIOs Report

Money is the single biggest barrier to local governments achieving the highest levels of cybersecurity. From not being able to pay competitive salaries to an insufficient number of cybersecurity staff, local governments are unable to deliver cybersecurity protection because their budgets don’t match their tasks.

The International City/County Management Association (ICMA) surveyed more than 400 local government CIOs for the Cybersecurity 2016 Survey, released this month. In an interview with 21st Century State & Local, Berna Öztekin-Günaydın, research associate at ICMA, discussed the survey results and how state and local governments can best shore up their cybersecurity protections.

While local governments in the mountain region of the U.S. were overrepresented and governments in the Mid-Atlantic and East South-Central regions were underrepresented in the survey, it’s still possible to draw out some understanding of how different regions are performing in terms of cybersecurity.

“It is difficult to generalize, but among the respondents, the percentage of jurisdictions with a formal system of cybersecurity management is higher in the South Atlantic, Mountain and Pacific Coast regions,” Öztekin-Günaydın said. “Also, the percentage of respondents that take certain actions to improve their cybersecurity practices are higher in the South Atlantic, Mountain and Pacific Coast regions.”

The survey found that cybersecurity threats are on the rise. Nearly a third of respondents reported an increase in cyberattacks during the past year. However, the budget and government workforce aren’t able to keep up with increasing threats. The majority of respondents said that their inability to pay competitive salaries prevented them from achieving high levels of cybersecurity. The pay discrepancy between private and public sector jobs is especially concerning given the talent shortage in the cybersecurity field. ICMA noted that there are one million unfilled jobs, and that the talent shortage is expect to grow to 1.5 million by 2019.

For states with a limited cybersecurity budget, Öztekin-Günaydın has suggestions on where to invest their time and money to improve the state’s cybersecurity posture.

“Training staff to make them aware of the threats is very important and can be done at low cost,” Öztekin-Günaydın said. “Teaching elected officials, employees, volunteers, interns and contractors about the risks inherent in their e-mail and Internet usage; the common scams; the importance of security practices; and the consequences that can result from security breaches would help significantly.”

In addition to training, Öztekin-Günaydın shares the top investments she believes local governments should consider to improve their cybersecurity:

Having a layered defense system accounting for various security challenges that organizations face is crucial to secure information systems.

Having assessments that can identify a system’s vulnerabilities and where to allocate available funding to build cybersecurity capabilities would be helpful for organizations with limited budgets.

Doing regular scanning and testing of the system, and having a recovery plan to determine what steps should be taken when a cyberattack takes place.

Survey respondents ranked better cybersecurity policies as the No. 2 thing most needed to ensure the highest level of cybersecurity for their local government–increasing funding was No. 1. Creating, or even improving, cybersecurity policies can be a daunting task. How can state and local governments streamline the process? What is the best jumping off point when looking to improve policies?

Öztekin-Günaydın said local governments should look to their peers for ideas on how to improve policies.

“Rather than reinventing the wheel, local governments can begin the process by examining the successful best practices employed by other communities,” Öztekin-Günaydın said. “For example, DeKalb County, Ga., is very proactive in their approach to cybersecurity and they do a lot of education internally to support their approach. Las Vegas, Nevada, and Jefferson County, Ala., also have good cybersecurity practices based on our survey findings.”